-rw-r--r--ANNOUNCE4
-rw-r--r--CHANGES4
-rw-r--r--pngpread.c5
3 files changed, 12 insertions, 1 deletions
diff --git a/ANNOUNCE b/ANNOUNCE
index 4a346331d..9de5bd5a1 100644
--- a/ANNOUNCE
+++ b/ANNOUNCE
@@ -41,6 +41,10 @@ Version 1.6.23rc01 [June 2, 2016]
Moved sse2 prototype from pngpriv.h to contrib/intel/intel_sse.patch.
Added missing ")" in pngerror.c (Matt Sarrett).
+Version 1.6.23rc02 [June 3, 2016]
+ Fixed undefined behavior in png_push_save_buffer(). Do not call
+ memcpy() with a null source, even if count is zero (Leon Scroggins III).
+
Send comments/corrections/commendations to png-mng-implement at lists.sf.net
(subscription required; visit
https://lists.sourceforge.net/lists/listinfo/png-mng-implement
diff --git a/CHANGES b/CHANGES
index e5da9cc68..a8f83afe7 100644
--- a/CHANGES
+++ b/CHANGES
@@ -5589,6 +5589,10 @@ Version 1.6.23rc01 [June 2, 2016]
Moved sse2 prototype from pngpriv.h to contrib/intel/intel_sse.patch.
Added missing ")" in pngerror.c (Matt Sarrett).
+Version 1.6.23rc02 [June 3, 2016]
+ Fixed undefined behavior in png_push_save_buffer(). Do not call
+ memcpy() with a null source, even if count is zero (Leon Scroggins III).
+
Send comments/corrections/commendations to png-mng-implement at lists.sf.net
(subscription required; visit
https://lists.sourceforge.net/lists/listinfo/png-mng-implement
diff --git a/pngpread.c b/pngpread.c
index 2e0208813..557153366 100644
--- a/pngpread.c
+++ b/pngpread.c
@@ -501,7 +501,10 @@ png_push_save_buffer(png_structrp png_ptr)
png_error(png_ptr, "Insufficient memory for save_buffer");
}
- memcpy(png_ptr->save_buffer, old_buffer, png_ptr->save_buffer_size);
+ if (old_buffer)
+ memcpy(png_ptr->save_buffer, old_buffer, png_ptr->save_buffer_size);
+ else if (png_ptr->save_buffer_size)
+ png_error(png_ptr, "save_buffer error");
png_free(png_ptr, old_buffer);
png_ptr->save_buffer_max = new_max;
}
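Review bot: The new guard around memcpy() in png_push_save_buffer() carries no comment saying why it is there, so a later cleanup could remove it as a redundant null check. Passing a null source to memcpy() is undefined behavior even when the count is zero. The `else if` arm covers a separate case, a non-zero save_buffer_size with no old buffer, which means the reader state is inconsistent. I would put a comment above the `if`, for example `/* memcpy() with a NULL source is undefined even for a zero count; NULL old_buffer with a non-zero save_buffer_size is an inconsistent state */`, and make the message more specific than "save_buffer error" so this failure can be told apart from others. The function starts above the hunk, so the allocation size that bounds this copy is not visible here and should be checked against save_buffer_size separately.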